Cisco ASA 5500 Series Security Appliance that runs version 7.x or above

FWSM that runs version 3.1.x or above

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

PPTP is described in RFC 2637. The protocol uses a TCP control connection on port 1723 and an extension of Generic Routing Encapsulation (GRE, IP protocol 47) to carry the actual data (the PPP frames). The TCP connection is initiated by the client; the GRE session is then initiated by the server, which is why a firewall that has only seen the client's TCP connection has no state for the GRE traffic that follows.

Version 6.2 and Earlier Information

Because the PPTP connection is initiated as TCP on one port and the response arrives as GRE (protocol 47), the PIX Adaptive Security Algorithm in these versions does not know that the two flows are related. As a result, you must configure ACLs to allow the returning GRE traffic into the PIX. PPTP through the PIX with NAT (one-to-one address mapping) works because the translation is keyed on the IP address alone, so the GRE packets are translated like any other IP traffic. PPTP through the PIX with Port Address Translation (PAT) does not work because PAT multiplexes hosts on the TCP or User Datagram Protocol (UDP) port number, and there is no concept of ports in GRE.

Version 6.3 Information

The PPTP fixup feature in version 6.3 allows PPTP traffic to traverse the PIX when the PIX is configured for PAT, and performs stateful PPTP packet inspection in the process. The fixup protocol pptp command inspects the PPTP control packets and dynamically creates the GRE connections and translations needed to permit the PPTP traffic. Specifically, the firewall inspects the PPTP version announcements and the outgoing call request/reply sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected; further inspection of the TCP control channel is disabled if the version announced by either side is not Version 1. From the tracked outgoing call request and reply, connections and/or translations are allocated dynamically as necessary to permit the subsequent secondary GRE data traffic. The PPTP fixup feature must be enabled for PPTP traffic to be translated by PAT.

Version 7.x Information

The PPTP Application Inspection Engine in version 7.x operates in the same fashion as fixup protocol pptp does in version 6.3.
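To make the inspection behaviour in the two sections above concrete, here is an added Python model of the tracking (an illustration written for this page, not Cisco's implementation): it parses RFC 2637 control messages on the TCP/1723 channel, stops inspecting if either side announces a protocol version other than 1.0, learns the client and server Call IDs from the Outgoing-Call-Request/Reply exchange, and then admits a GRE packet only if the Call ID in its Key field belongs to a tracked call. That per-call knowledge is what lets the appliance open the GRE connection and its translation without a static ACL. The control messages and the GRE packet are constructed by the helper functions; the Call IDs, host names and PPP payload are arbitrary sample values.

```python
"""Added example: a minimal model of PPTP control-channel inspection.

Tracks what 'fixup protocol pptp' / 'inspect pptp' needs in order to open
GRE connections dynamically. Not Cisco code; message layouts follow RFC 2637.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MSG = 1                       # PPTP Message Type: 1 = control message
SCC_REQUEST, SCC_REPLY = 1, 2      # Start-Control-Connection-Request / -Reply
OC_REQUEST, OC_REPLY = 7, 8        # Outgoing-Call-Request / -Reply
PPTP_VERSION_1 = 0x0100            # version 1.0, the only version inspected
GRE_PROTO_PPP = 0x880B             # enhanced GRE protocol type for PPP
GRE_KEY_BIT, GRE_VERSION_MASK = 0x2000, 0x0007


class PptpInspector:
    def __init__(self):
        self.inspecting = True     # cleared when a non-v1 version is announced
        self.pending = set()       # client Call IDs seen in Outgoing-Call-Request
        self.gre_allowed = set()   # Call IDs whose GRE packets may pass

    def control_message(self, direction, data):
        """Process one TCP/1723 message. direction is 'c2s' or 's2c'."""
        if not self.inspecting:
            return None                      # inspection switched off
        if len(data) < 12:
            raise ValueError("short PPTP header")
        length, msg_type, cookie, ctrl_type = struct.unpack_from("!HHIH", data, 0)
        if length != len(data) or msg_type != CTRL_MSG or cookie != MAGIC_COOKIE:
            raise ValueError("not a PPTP control message")
        body = data[12:]
        if ctrl_type in (SCC_REQUEST, SCC_REPLY):
            (version,) = struct.unpack_from("!H", body, 0)
            if version != PPTP_VERSION_1:
                self.inspecting = False      # either side not v1: stop inspecting
                return ("version-unsupported", version)
            return ("version-ok", version)
        if ctrl_type == OC_REQUEST and direction == "c2s":
            (call_id,) = struct.unpack_from("!H", body, 0)
            self.pending.add(call_id)
            return ("call-request", call_id)
        if ctrl_type == OC_REPLY and direction == "s2c":
            server_call_id, peer_call_id, result = struct.unpack_from("!HHB", body, 0)
            if peer_call_id in self.pending and result == 1:   # 1 = connected
                self.pending.discard(peer_call_id)
                # GRE towards the client carries the client's Call ID in its Key
                # field; GRE towards the server carries the server's Call ID.
                self.gre_allowed.update((peer_call_id, server_call_id))
                return ("call-connected", peer_call_id, server_call_id)
            return ("call-failed", result)
        return ("ignored", ctrl_type)

    def gre_permitted(self, packet):
        """Admit an enhanced-GRE packet only if its Key (Call ID) is tracked."""
        if len(packet) < 8:
            return False
        flags_ver, proto, _payload_len, call_id = struct.unpack_from("!HHHH", packet, 0)
        if proto != GRE_PROTO_PPP:
            return False
        if not (flags_ver & GRE_KEY_BIT) or (flags_ver & GRE_VERSION_MASK) != 1:
            return False
        return call_id in self.gre_allowed


# --- constructed sample messages (helpers for the example, RFC 2637 layouts) ---
def _ctrl(ctrl_type, body):
    return struct.pack("!HHIHH", 12 + len(body), CTRL_MSG, MAGIC_COOKIE, ctrl_type, 0) + body

def scc_request(version=PPTP_VERSION_1):
    fixed = struct.pack("!HHIIHH", version, 0, 3, 3, 1, 0)      # caps, max channels, firmware
    return _ctrl(SCC_REQUEST, fixed + b"client".ljust(64, b"\0") + b"example".ljust(64, b"\0"))

def scc_reply(version=PPTP_VERSION_1):
    fixed = struct.pack("!HBBIIHH", version, 1, 0, 3, 3, 1, 0)  # result 1 = OK
    return _ctrl(SCC_REPLY, fixed + b"server".ljust(64, b"\0") + b"example".ljust(64, b"\0"))

def oc_request(call_id):
    fixed = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return _ctrl(OC_REQUEST, fixed + bytes(128))                 # phone number + subaddress

def oc_reply(call_id, peer_call_id, result=1):
    return _ctrl(OC_REPLY, struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0,
                                       100_000_000, 64, 0, 0))

def gre_packet(call_id, payload=b"\xff\x03\xc0\x21"):
    # flags 0x3001: Key and Sequence bits set, version 1; payload is a PPP LCP stub
    return struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(payload), call_id, 1) + payload


def demo():
    """Full call setup: returns the inspector and the list of tracked events."""
    insp = PptpInspector()
    events = [insp.control_message("c2s", scc_request()),
              insp.control_message("s2c", scc_reply()),
              insp.control_message("c2s", oc_request(0x0C01)),
              insp.control_message("s2c", oc_reply(0x00A1, 0x0C01))]
    return insp, events
```

The model deliberately fails closed: a GRE packet with an unknown Call ID, a plain (non-enhanced) GRE header, or a session where one side announced a version other than 1.0 is never admitted, which mirrors the "inspection disabled" behaviour described above.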

Complete these steps in order to add the ACL-based configuration for versions 7.x and 8.x. The example uses the same addresses for the PPTP client and server as for the L2TP client and server below.

Define the static mapping for the inside host. The inside server is 10.48.66.106 and is seen on the outside as 192.168.201.5.

In this configuration example, the L2TP server is 192.168.201.5 on the outside (static to 10.48.66.106 inside), and the L2TP client is at 192.168.201.25.

The outside L2TP client tries to establish the L2TP over IPsec VPN connection with the inside L2TP server. In order to allow the L2TP over IPsec packets through the intermediate PIX/ASA, you must permit ESP, ISAKMP (UDP 500), NAT-T (UDP 4500), and L2TP (UDP 1701) so that the tunnel can be established. The L2TP packets are translated by the PIX/ASA and forwarded through the VPN tunnel.

With PAT, only one PPTP connection can pass through the PIX Security Appliance unless inspection is enabled. GRE carries no port numbers, so the appliance treats the GRE connection as port 0 and can map port 0 to only one inside host. The workaround is to enable PPTP inspection on the security appliance (fixup protocol pptp in 6.3, inspect pptp in 7.x and later), which tells the GRE sessions apart by the Call IDs learned from the TCP control channel. For L2TP over IPsec the equivalent limit comes from ESP, which also carries no port numbers; NAT-T (UDP 4500) is what allows more than one L2TP/IPsec client behind PAT.
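Putting the steps above together, here is an added example configuration (written for this page, not taken from the original document) for a 7.x/8.x security appliance running pre-8.3 software, where inbound ACLs reference the mapped address. The addresses are the ones used above (server 10.48.66.106 mapped to 192.168.201.5, client 192.168.201.25); the ACL name OUTSIDE_IN is an assumption. The ACL entries cover both PPTP (TCP 1723 plus GRE) and L2TP over IPsec (ISAKMP, NAT-T, ESP, L2TP). The inspect pptp lines are only required when the PPTP traffic crosses a PAT translation, as described above; with a static one-to-one translation the ACL alone is sufficient, and inspection does no harm.

```text
! Static one-to-one translation for the inside server (real 10.48.66.106,
! seen on the outside as 192.168.201.5). Pre-8.3 syntax.
static (inside,outside) 192.168.201.5 10.48.66.106 netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3: the destination is the
! mapped address. The ACL name OUTSIDE_IN is assumed.
!
! PPTP: the TCP/1723 control channel and the GRE (protocol 47) data channel.
access-list OUTSIDE_IN extended permit tcp host 192.168.201.25 host 192.168.201.5 eq 1723
access-list OUTSIDE_IN extended permit gre host 192.168.201.25 host 192.168.201.5
!
! L2TP over IPsec: ISAKMP, NAT-T, ESP, and L2TP itself.
access-list OUTSIDE_IN extended permit udp host 192.168.201.25 host 192.168.201.5 eq 500
access-list OUTSIDE_IN extended permit udp host 192.168.201.25 host 192.168.201.5 eq 4500
access-list OUTSIDE_IN extended permit esp host 192.168.201.25 host 192.168.201.5
access-list OUTSIDE_IN extended permit udp host 192.168.201.25 host 192.168.201.5 eq 1701
access-group OUTSIDE_IN in interface outside

! PPTP inspection: needed when PPTP crosses a PAT translation. The engine
! learns the Call IDs from the TCP/1723 exchange and opens the matching GRE
! connection and translation itself. global_policy and inspection_default are
! the default names on 7.x and later.
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
```

On 8.3 and later the NAT syntax changed and inbound ACLs match on the real (inside) address, so the static and the destination addresses in the ACL must be adjusted accordingly; the set of protocols and ports to permit is the same.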

When you try to connect to PPTP VPN inbound, this error message appears:

Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

This issue usually occurs when PPTP or L2TP passthrough is not enabled on an intermediate ASA between the client and the headend device, that is, when the control channel and the GRE or IPsec data channel are not both permitted through the appliance. Enable PPTP or L2TP passthrough and check the configuration in order to resolve the issue.

This example shows a PPTP client inside the PIX that initiates a connection to a PPTP server outside the PIX when no ACL is configured to allow the GRE traffic. With logging set to debugging on the PIX, you can see the TCP port 1723 connection initiated by the client, followed by the rejection of the GRE (protocol 47) return traffic from the server.
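Here is an added example (not part of the original document) of the correlation a reader does by eye on that debug log, written in Python: it looks for a built outbound TCP connection to port 1723 and then for GRE (protocol 47) denies between the same server and the client's mapped address, which is the signature of a PPTP client whose control channel works while the GRE return traffic is dropped. The syslog lines are constructed for the example and mirror the %PIX-6-302013 (connection built) and %PIX-3-106010 (inbound deny, no ACL permits the packet) formats; the exact field layout can differ between releases, so adjust the regular expressions to your own output.

```python
"""Added example: spot PPTP GRE return traffic being dropped in PIX/ASA syslog.

Correlates 'Built outbound TCP connection ... /1723' with later denies of
protocol 47 between the same pair of addresses. Log lines are constructed.
"""
import re
from collections import Counter

# 302013: Built outbound TCP connection <id> for <if>:<server>/<port> (<mapped>)
#         to <if>:<inside client>/<port> (<mapped client>/<port>)
BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ for \w+:(?P<server>[\d.]+)/1723 "
    r"\([\d.]+/\d+\) to \w+:(?P<client>[\d.]+)/\d+ \((?P<client_mapped>[\d.]+)/\d+\)")
# 106010 (nothing permits the packet) and 106023 (explicit ACL deny) both
# name the IP protocol number for non-TCP/UDP traffic.
DENY_RE = re.compile(
    r"Deny (?:inbound )?protocol 47 src \w+:(?P<src>[\d.]+) dst \w+:(?P<dst>[\d.]+)")

# Constructed sample log: one PPTP session whose GRE is dropped twice, an
# unrelated HTTPS connection, and a GRE deny from a host with no PPTP session.
SAMPLE_LOG = """\
Aug 23 10:15:02 pix %PIX-6-302013: Built outbound TCP connection 7741 for outside:203.0.113.10/1723 (203.0.113.10/1723) to inside:10.48.66.106/1088 (192.168.201.5/1088)
Aug 23 10:15:03 pix %PIX-3-106010: Deny inbound protocol 47 src outside:203.0.113.10 dst inside:192.168.201.5
Aug 23 10:15:05 pix %PIX-3-106010: Deny inbound protocol 47 src outside:203.0.113.10 dst inside:192.168.201.5
Aug 23 10:15:30 pix %PIX-6-302013: Built outbound TCP connection 7750 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.48.66.106/1090 (192.168.201.5/1090)
Aug 23 10:15:31 pix %PIX-3-106010: Deny inbound protocol 47 src outside:198.51.100.9 dst inside:192.168.201.5
"""


def find_blocked_pptp(lines):
    """Return [(server, client_mapped, inside_client, gre_denies)] for PPTP
    control channels whose GRE return traffic was denied. GRE denies that do
    not follow a TCP/1723 connection between the same hosts are ignored."""
    sessions = {}          # (server, client_mapped) -> inside client address
    denies = Counter()     # (server, client_mapped) -> number of GRE denies
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            sessions[(m["server"], m["client_mapped"])] = m["client"]
            continue
        m = DENY_RE.search(line)
        if m and (m["src"], m["dst"]) in sessions:
            denies[(m["src"], m["dst"])] += 1
    return [(srv, mapped, sessions[(srv, mapped)], n)
            for (srv, mapped), n in sorted(denies.items())]


def diagnose(log_text=SAMPLE_LOG):
    """One human-readable verdict per affected PPTP session."""
    return ["PPTP control channel %s -> %s built, but %d GRE packet(s) from %s to %s "
            "denied: permit GRE (protocol 47) inbound or enable inspect pptp"
            % (inside, srv, n, srv, mapped)
            for srv, mapped, inside, n in find_blocked_pptp(log_text.splitlines())]
```

Run on the constructed log, `diagnose()` reports exactly one affected session (the 203.0.113.10 server with two dropped GRE packets) and stays silent about the HTTPS connection and the stray GRE deny, which is the distinction that matters when reading a busy debug log.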

If you still need assistance after following the troubleshooting steps above and want to open a service request with the Cisco TAC, be sure to include the following information.

Problem description and relevant topology details

Troubleshooting performed before opening the service request

Output from the show tech-support command

Output from the show log command after running with the logging buffered debugging command, or console captures that demonstrate the problem (if available)

Please attach the collected data to your service request in non-zipped, plain text format (.txt). You can attach information to your service request by uploading it using the Service Request Query Tool (registered customers only). If you cannot access the Service Request Query Tool, you can send the information in an email attachment to attach@cisco.com with your service request number in the subject line of your message.